Tom, you are totally, 100%, wrong.

Security through obscurity does not work. Your claim that only the black hats win is very short sighted.

Let's take a small scenario of a bank. Let's assume a critical remote exploit is found in the OS they use. Now let's assume that this exploit cannot be blocked at the firewall (takes advantage of web services or some such idea). The bank is in the dark, but the black hat (who is researching with the same tools and just as quickly as the white hat) knows that he can exploit this. So, he does. The bank loses millions due to data theft and loss of reputation, the customers lose millions due to identity theft, and the software company gets off scott free because not a soul knows about the exploit.